Influxdata
/
chronograf
mirror of https://github.com/influxdata/chronograf.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Add documentation for running Chronograf with TLS

pull/873/head
Chris Goller 2017-02-14 10:32:37 -06:00
parent 442b892bc3
commit 9b956f7c90
2 changed files with 77 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
README.md
View File

@ -107,6 +107,9 @@ A UI for [Kapacitor](https://github.com/influxdata/kapacitor) alert creation and
* View all active alerts at a glance on the alerting dashboard * View all active alerts at a glance on the alerting dashboard
* Enable and disable existing alert rules with the check of a box * Enable and disable existing alert rules with the check of a box
### TLS/HTTPS support
See [Chronograf with TLS](https://github.com/influxdata/chronograf/blob/master/docs/tls.md) for more information.
### GitHub OAuth Login ### GitHub OAuth Login
See [Chronograf with OAuth 2.0](https://github.com/influxdata/chronograf/blob/master/docs/auth.md) for more information. See [Chronograf with OAuth 2.0](https://github.com/influxdata/chronograf/blob/master/docs/auth.md) for more information.

74
docs/tls.md Normal file
View File

@ -0,0 +1,74 @@
## Chronograf TLS
Chronograf supports TLS to securely communicate between the browser and server via
HTTPS.
We recommend using HTTPS with Chronograf. If you are not using a TLS termination proxy,
you can run Chronograf's server with TLS connections.
### TL;DR
```sh
chronograf --cert=my.crt --key=my.key
```
### Running Chronograf with TLS
Chronograf server has command line and environment variable options to specify
the certificate and key files. The server reads and parses a public/private key
pair from these files. The files must contain PEM encoded data.
In Chronograf all command line options also have a corresponding environment
variable.
To specify the the certificate file either use the `--cert` CLI option or `TLS_CERTIFICATE`
environment variable.
To specify the key file either use the `--key` CLI option or `TLS_PRIVATE_KEY`
environment variable.
#### Example with CLI options
```sh
chronograf --cert=my.crt --key=my.key
```
#### Example with environment variables
```sh
TLS_CERTIFICATE=my.crt TLS_PRIVATE_KEY=my.key chronograf
```
#### Docker example with environment variables
```sh
docker run -v /host/path/to/certs:/certs -e TLS_CERTIFICATE=/certs/my.crt -e TLS_PRIVATE_KEY=/certs/my.key quay.io/influxdb/chronograf:latest
```
### Testing with self-signed certificates
In a production environment you should not use self-signed certificates. However,
for testing it is fast to create your own certs.
To create a cert and key in one file with openssl:
```sh
openssl req -x509 -newkey rsa:4096 -sha256 -nodes -keyout testing.pem -out testing.pem -subj "/CN=localhost" -days 365
```
If the cert and the key are in the same file, you don't have to specify the
`TLS_PRIVATE_KEY` option.
Next, set the environment variable `TLS_CERTIFICATE`:
```sh
export TLS_CERTIFICATE=$PWD/testing.pem
```
Run chronograf:
```sh
./chronograf
INFO[0000] Serving chronograf at https://[::]:8888 component=server
```
In the first log message you should `https` rather than `http`.